Abstract

We investigate a framework of Krivine realizability with I/O effects, and present a method of associating realizability models to specifications on the I/O behavior of processes, by using adequate interpretations of the central concepts of pole and proof-like term. In particular, this method allows us to associate realizability models to computable functions.

Following recent work of Streicher and others we show how these models give rise to triposes 
and toposes. 


1 Introduction


Krivine realizability with side effects has been introduced by Miquel in [?]. In this article we demonstrate how an instance of Miquel's framework including I/O instructions allows us to associate realizability toposes to specifications, i.e. sets of requirements imposed on the I/O behavior of programs. Since the requirement to compute a specific function $f$ can be viewed as a specification, we in particular obtain a way to associate toposes to computable functions.

These toposes are different from traditional 'Kleene' realizability toposes such as the effective topos [5] in that we associate toposes to individual computable functions, whereas the effective topos incorporates all recursive functions on equal footing. Another difference to the toposes based on Kleene realizability is that the internal logic of the latter is constructive, whereas the present approach is based on Krivine's realizability interpretation [?], which validates classical logic.

To represent specifications we make use of the fact that Krivine's realizability interpretation is parametric over a set of processes called the pole. The central observation (Lemma [?] and Theorem 28) is that non-trivial specifications on program behavior give rise to poles leading to consistent (i.e. non-degenerate) interpretations.

To give a categorical account of Krivine realizability we follow recent work of Streicher [18] and others [?], which demonstrates how Krivine realizability models give rise to triposes. Toposes are then obtained via the tripos-to-topos construction [7].

Our basic formalism is an extension of the Krivine machine (2) that gives an operational semantics to I/O instructions for single bits. We give two formulations of the operational semantics: one (3) in terms of a transition relation on processes including a state (which is adequate for reasoning about function computation), and one (4) in terms of a labeled transition system that allows us to reason about program equivalence in terms of bisimulation. The two operational semantics are related by Corollary 7, which we use to prove a Turing completeness result in Theorem 12.
Realizability Toposes from Specifications


1.1 Related work 

The idea of adding instructions with new evaluation rules to the machine plays a central role in Krivine's writings, as a means to realize non-logical axioms. Citing from [?]:

"Indeed, when we realize usual axioms of mathematics, we need to introduce, one after the other, the very standard tools in system programming: for the law of Peirce, these are continuations (particularly useful for exceptions); for the axiom of dependent choice, these are the clock and the process numbering; for the ultrafilter axiom and the well ordering of $\mathbb{R}$, these are no less than I/O instructions on a global memory, in other words assignment."

Although features like exceptions and memory are often called effects, it is arguable whether 
they should be called side effects, since they do not interact with the outside world. 

The idea to add instructions for side effects which are influenced by, and influence, the outside world has already been investigated by Miquel [?, Section 2.2], and our execution relation (3) can be viewed as an instance of his framework.

What sets the present approach apart is that Miquel views the state of the world 
(represented by a forcing condition) as being part of a process and requires poles to be 
saturated w.r.t. all (including effectful) reductions, whereas for us poles are sets of ‘bare’ 
processes without state, which are saturated only w.r.t. reduction free of side-effects. 

This difference is crucial in that it enables the construction of poles from specifications. 

2 Syntax and machine

In this section we recall Krivine's abstract machine with continuations as described in [?]. We then go on to describe an extension of the syntax by I/O instructions, and describe an operational semantics as a transition relation on triples $(p, \iota, o)$ of process, input, and output.

2.1 Krivine's machine 

We recall the underlying syntax and machine of Krivine's classical realizability from [?]. The syntax consists of three syntactic classes called terms, stacks, and processes.

$$
\begin{array}{lll}
\text{Terms:} & t ::= x \mid \lambda x.t \mid tt \mid \mathsf{cc} \mid k_\pi & \\
\text{Stacks:} & \pi ::= \pi_0 \mid t\cdot\pi & t \text{ closed},\ \pi_0 \in \Pi_0 \\
\text{Processes:} & p ::= t \star \pi & t \text{ closed}
\end{array}
\qquad (1)
$$

Thus, the terms are the terms of the $\lambda$-calculus, augmented by a constant $\mathsf{cc}$ for call/cc, and continuation terms $k_\pi$ for any stack $\pi$. A stack, in turn, is a list of closed terms terminated by an element $\pi_0$ of a designated set $\Pi_0$ of stack constants. A process is a pair $t \star \pi$ of a closed term and a stack. The set of closed terms is denoted by $\Lambda$, the set of stacks is $\Pi$, and the set of processes is $\Lambda\star\Pi$.

Krivine's machine is now defined by a transition relation on processes called evaluation.

$$
\begin{array}{lrcl}
(\text{push}) & tu \star \pi & \succ & t \star u\cdot\pi \\
(\text{pop}) & (\lambda x.t[x]) \star u\cdot\pi & \succ & t[u] \star \pi \\
(\text{save}) & \mathsf{cc} \star t\cdot\pi & \succ & t \star k_\pi\cdot\pi \\
(\text{restore}) & k_\pi \star t\cdot\rho & \succ & t \star \pi
\end{array}
\qquad (2)
$$

The first two rules implement weak head reduction of $\lambda$-terms, and the third and fourth rule capture and restore continuations.
2.2 The machine with I/O

To incorporate I/O we modify the syntax as follows:

$$
\begin{array}{lll}
\text{Terms:} & t ::= x \mid \lambda x.t \mid tt \mid \mathsf{cc} \mid k_\pi \mid \mathsf{r} \mid \mathsf{w0} \mid \mathsf{w1} \mid \mathsf{end} & \\
\text{Stacks:} & \pi ::= \varepsilon \mid t\cdot\pi & t \text{ closed} \\
\text{Processes:} & p ::= t \star \pi \mid \top & t \text{ closed}
\end{array}
$$

The grammar for terms is extended by constants $\mathsf{r}, \mathsf{w0}, \mathsf{w1}, \mathsf{end}$ for reading, writing and termination, and in exchange the stack constants are omitted; $\varepsilon$ is the empty stack. Finally there is a process constant $\top$ also representing termination. The presence of both $\mathsf{end}$ and $\top$ will be important in Section [?].

We write $\Lambda_e$ and $\Pi_e$ for the sets of terms and stacks of the syntax with I/O, and $P$ for the set of processes. Furthermore, we denote by $\Lambda_p$ the set of pure terms, i.e. terms not containing any of $\mathsf{r}, \mathsf{w0}, \mathsf{w1}, \mathsf{end}$.

The operational semantics of the extended syntax is given in terms of execution contexts, which are triples $(p, \iota, o)$ of a process $p$ and a pair $\iota, o \in \{0,1\}^*$ of binary strings representing input and output. On these execution contexts, we define the execution relation $\leadsto$ as follows:

$$
\begin{array}{lrcll}
(\tau) & (t \star \pi, \iota, o) & \leadsto & (u \star \rho, \iota, o) & \text{whenever } t \star \pi \succ u \star \rho \\
(\mathsf{r0}) & (\mathsf{r} \star t\cdot u\cdot v\cdot\pi, 0\iota, o) & \leadsto & (t \star \pi, \iota, o) & \\
(\mathsf{r1}) & (\mathsf{r} \star t\cdot u\cdot v\cdot\pi, 1\iota, o) & \leadsto & (u \star \pi, \iota, o) & \\
(\mathsf{r}\varepsilon) & (\mathsf{r} \star t\cdot u\cdot v\cdot\pi, \varepsilon, o) & \leadsto & (v \star \pi, \varepsilon, o) & \\
(\mathsf{w0}) & (\mathsf{w0} \star t\cdot\pi, \iota, o) & \leadsto & (t \star \pi, \iota, 0o) & \\
(\mathsf{w1}) & (\mathsf{w1} \star t\cdot\pi, \iota, o) & \leadsto & (t \star \pi, \iota, 1o) & \\
(\mathsf{e}) & (\mathsf{end} \star \pi, \iota, o) & \leadsto & (\top, \iota, o) &
\end{array}
\qquad (3)
$$

Thus, if none of $\mathsf{r}, \mathsf{w0}, \mathsf{w1}, \mathsf{end}$ is in head position, the process is reduced as in (2) without changing $\iota$ and $o$. If $\mathsf{r}$ is in head position, the computation selects one of the first three arguments depending on whether the input starts with a 0, a 1, or is empty; $\mathsf{w0}$ and $\mathsf{w1}$ write out 0 and 1 (the written bit is prepended to the output string), and $\mathsf{end}$ discards the stack and yields $\top$, which represents successful termination.

We observe that the execution relation is deterministic, i.e. for every execution context there is at most one transition possible, which is determined by the term in head position, and in case of $\mathsf{r}$ also by the input.


2.3 Representing functions 


We view the above formalism as a model of computation that explicitly includes reading of 
input, and writing of output. 

Consequently, when thinking about expressivity we are not so much interested in the 
ability of the machine to transform abstract representations of data like ‘Church numerals’, 
but rather in the functions on binary strings that processes can compute by reading their 
argument from the input, and writing the result to the output. 


► Definition 1. For $n \in \mathbb{N}$, $\mathsf{bin}(n) \in \{0,1\}^*$ is the base 2 representation of $n$. 0 is represented by the empty string, thus we have e.g. $\mathsf{bin}(0) = \varepsilon$, $\mathsf{bin}(1) = 1$, $\mathsf{bin}(2) = 10$, $\mathsf{bin}(3) = 11$, ...

A process $p$ is said to implement a partial function $f : \mathbb{N} \rightharpoonup \mathbb{N}$, if $(p, \mathsf{bin}(n), \varepsilon) \leadsto^* (\top, \varepsilon, \mathsf{bin}(f(n)))$ for all $n \in \mathrm{dom}(f)$.

► Remark. There is a stronger version of the previous definition which requires $(p, \mathsf{bin}(n), \varepsilon)$ to diverge or block for $n \notin \mathrm{dom}(f)$, and a completeness result like Thm. 12 can be shown for the strengthened definition as well. We use the weaker version, since we expect the poles $\bot\!\!\!\bot_f$ defined in Section 5.2.1 to be better behaved this way.


2.4 $\beta$-reduction

To talk about contraction of single $\beta$-redexes which are not necessarily in head position in a process $p$, we define contexts, which are terms/stacks/processes with a single designated hole $[\cdot]$ in term position, by the following grammar:

$$
\begin{array}{lll}
\text{Term contexts:} & t[\cdot] ::= [\cdot] \mid \lambda x.t[\cdot] \mid t[\cdot]\,t \mid t\,t[\cdot] \mid k_{\pi[\cdot]} & \\
\text{Stack contexts:} & \pi[\cdot] ::= t\cdot\pi[\cdot] \mid t[\cdot]\cdot\pi & t, t[\cdot] \text{ closed} \\
\text{Process contexts:} & p[\cdot] ::= t[\cdot] \star \pi \mid t \star \pi[\cdot] &
\end{array}
$$

Contexts are used to talk about substitution that allows capturing of variables: as described in [?, 2.1.18], given a context $t[\cdot]/\pi[\cdot]/p[\cdot]$ and a term $u$, $t[u]/\pi[u]/p[u]$ is the result of replacing the hole $[\cdot]$ in $t[\cdot]/\pi[\cdot]/p[\cdot]$ by $u$, allowing potential free variables in $u$ to be captured. We say that $u$ is admissible for $t[\cdot]/\pi[\cdot]/p[\cdot]$, if $t[u]/\pi[u]/p[u]$ is a valid term/stack/process conforming to the closedness condition for terms making up stacks.

Now we can express $\beta$-reduction as the action of contracting a single redex: given a redex $(\lambda x.u)v$ which is admissible for a context $t[\cdot]/\pi[\cdot]/p[\cdot]$, we have

$$
t[(\lambda x.u)v] \to_\beta t[u[v/x]] \qquad \pi[(\lambda x.u)v] \to_\beta \pi[u[v/x]] \qquad p[(\lambda x.u)v] \to_\beta p[u[v/x]],
$$

and any single $\beta$-reduction can uniquely be written this way. $\beta$-equivalence $\simeq_\beta$ is the equivalence relation generated by $\beta$-reduction.


3 Bisimulation and T-equivalence


To reason efficiently about execution of processes with side effects, in particular to show Turing completeness in Section 4, we want to show that although the computation model imposes a deterministic reduction strategy, we can perform $\beta$-reduction anywhere in a process without changing its I/O behavior.

The natural choice of concept to capture 'equivalence of I/O behavior' is weak bisimilarity (see [?, Section 4.2]), and in order to make this applicable to processes we have to reformulate the operational semantics as a labeled transition system (LTS).

We use the set $\mathcal{L} = \{\mathsf{r0}, \mathsf{r1}, \mathsf{r}\varepsilon, \mathsf{w0}, \mathsf{w1}, \mathsf{e}\}$ of labels, where $\mathsf{r0}, \mathsf{r1}$ represent reading of a 0 or 1, respectively, and $\mathsf{w0}, \mathsf{w1}$ represent writing of bits, $\mathsf{r}\varepsilon$ represents the unsuccessful attempt of reading on empty input, and $\mathsf{e}$ represents successful termination. The set $\mathrm{Act} = \mathcal{L} \cup \{\tau\}$ of actions contains the labels as well as the symbol $\tau$ representing a 'silent' transition, that is used to represent effect-free evaluation.

The transition system on processes is now given as follows.

$$
\begin{array}{rclcrcl}
(\lambda x.t[x]) \star u\cdot\pi & \xrightarrow{\tau} & t[u] \star \pi & \qquad & \mathsf{r} \star t\cdot u\cdot v\cdot\pi & \xrightarrow{\mathsf{r0}} & t \star \pi \\
tu \star \pi & \xrightarrow{\tau} & t \star u\cdot\pi & & \mathsf{r} \star t\cdot u\cdot v\cdot\pi & \xrightarrow{\mathsf{r1}} & u \star \pi \\
\mathsf{cc} \star t\cdot\pi & \xrightarrow{\tau} & t \star k_\pi\cdot\pi & & \mathsf{r} \star t\cdot u\cdot v\cdot\pi & \xrightarrow{\mathsf{r}\varepsilon} & v \star \pi \\
k_\pi \star t\cdot\rho & \xrightarrow{\tau} & t \star \pi & & \mathsf{w0} \star t\cdot\pi & \xrightarrow{\mathsf{w0}} & t \star \pi \\
& & & & \mathsf{w1} \star t\cdot\pi & \xrightarrow{\mathsf{w1}} & t \star \pi \\
& & & & \mathsf{end} \star \pi & \xrightarrow{\mathsf{e}} & \top
\end{array}
\qquad (4)
$$

Observe that the $\tau$-transitions are in correspondence with the transitions of the evaluation relation (2), and the labeled transitions correspond to the remaining transitions of the execution relation (3).

We now recall the definition of weak bisimulation relation from [18, Section 4.2].

► Definition 2.

▪ For processes $p, q$ we write $p \Rightarrow q$ for $p\, (\xrightarrow{\tau})^{*}\, q$, and for $\alpha \neq \tau$ we write $p \overset{\alpha}{\Rightarrow} q$ for $\exists p', q'.\ p \Rightarrow p' \xrightarrow{\alpha} q' \Rightarrow q$ (for $\alpha = \tau$ we read $\overset{\tau}{\Rightarrow}$ as $\Rightarrow$).

▪ A weak bisimulation on $P$ is a binary relation $R \subseteq P \times P$ such that for all $\alpha \in \mathrm{Act}$ and $(p, q) \in R$ we have

$$
p \xrightarrow{\alpha} p' \;\Longrightarrow\; \exists q'.\ q \overset{\alpha}{\Rightarrow} q' \wedge (p', q') \in R \qquad\text{and}\qquad
q \xrightarrow{\alpha} q' \;\Longrightarrow\; \exists p'.\ p \overset{\alpha}{\Rightarrow} p' \wedge (p', q') \in R. \qquad (5)
$$

▪ Two processes $p, q$ are called weakly bisimilar (written $p \approx q$), if there exists a weak bisimulation relation $R$ with $(p, q) \in R$.

We recall the following important properties of the weak bisimilarity relation $\approx$.

► Lemma 3. Weak bisimilarity is itself a weak bisimulation, and furthermore it is an equivalence relation.

Proof. [13, Proposition 4.2.7] ◄


To show that $\beta$-equivalent processes are bisimilar, we have to find a bisimulation relation containing $\beta$-equivalence. The following relation does the job.

► Definition 4 ($\gamma$-equivalence). $\gamma$-equivalence (written $p \sim_\gamma q$) is the equivalence relation on processes that is generated by $\beta$-reduction and $\tau$-transitions.


► Lemma 5. $\gamma$-equivalence of processes is a weak bisimulation.

Proof. It is sufficient to verify conditions (5) on the generators of $\gamma$-equivalence, i.e. one-step $\beta$-reductions and $\tau$-transitions. Therefore we show the following:

1. if $p \xrightarrow{\tau} q$ and $p \xrightarrow{\alpha} p'$ then there exists $q'$ with $q \overset{\alpha}{\Rightarrow} q'$ and $p' \sim_\gamma q'$

2. if $p \xrightarrow{\tau} q$ and $q \xrightarrow{\alpha} q'$ then there exists $p'$ with $p \overset{\alpha}{\Rightarrow} p'$ and $p' \sim_\gamma q'$

3. if $p \to_\beta q$ and $p \xrightarrow{\alpha} p'$ then there exists $q'$ with $q \overset{\alpha}{\Rightarrow} q'$ and $p' \sim_\gamma q'$

4. if $p \to_\beta q$ and $q \xrightarrow{\alpha} q'$ then there exists $p'$ with $p \overset{\alpha}{\Rightarrow} p'$ and $p' \sim_\gamma q'$

In the first case, the fact that the LTS can only branch if $\mathsf{r}$ is in head position, and this does not involve $\tau$-transitions, implies that $\alpha = \tau$ and $p' = q$, and we can choose $q' = q$ as well. In the second case we have $p \overset{\alpha}{\Rightarrow} q'$ and thus can choose $p' = q'$.

For cases 3 and 4, which we treat simultaneously, we have to analyze the structure of $p$ and $q$, which are of the form $r[(\lambda x.s)t]$ and $r[s[t/x]]$ for some context $r[\cdot]$ (see Section 2.4). The proof proceeds by cases on the structure of $r[\cdot]$.

If $r[\cdot]$ is of either of the forms $(st \star \pi)[\cdot]$¹, $\mathsf{w0} \star \pi[\cdot]$, $\mathsf{w1} \star \pi[\cdot]$, $\mathsf{cc} \star \pi[\cdot]$, $(k_\pi \star \rho)[\cdot]$¹ or $\mathsf{end} \star \pi[\cdot]$, then it is immediately evident that $p$ and $q$ can perform the same unique transition (if any), and the results will again be $\beta$-equivalent (possibly trivially, since the redex can get deleted in the transition).

If $r[\cdot]$ is of the form $((\lambda y.u) \star \pi)[\cdot]$ then this is true as well, regardless of whether the hole is in $u$ or in $\pi$ (here the redex can be duplicated, if the hole is in the first term in $\pi$).

If $r[\cdot]$ is of the form $\mathsf{r} \star \pi[\cdot]$ then several transitions may be possible, but any transition taken by either of $p$ or $q$ can also be taken by the other, and the results will again be $\beta$-equivalent.

It remains to consider $r[\cdot]$ of the form $[\cdot] \star \pi$. In this case, $p = (\lambda x.s)t \star \pi$ and $q = s[t/x] \star \pi$. Here $p$ can perform the transition $p \xrightarrow{\tau} (\lambda x.s) \star t\cdot\pi$, which can be matched by $q \Rightarrow q$, where we have $(\lambda x.s) \star t\cdot\pi \xrightarrow{\tau} q$ and hence $(\lambda x.s) \star t\cdot\pi \sim_\gamma q$. In the other direction we have $p \overset{\alpha}{\Rightarrow} q'$ for every $q \xrightarrow{\alpha} q'$ since $p \Rightarrow q$. ◄

¹ The notation is meant to convey that we don't care if the hole is in $s$, $t$, or $\pi$.

The following definition and corollary make the link between the execution relation (3) and the LTS (4).

► Definition 6. Two execution contexts $(p, \iota, o)$, $(q, \iota', o')$ are called $T$-equivalent (written $(p, \iota, o) \sim_T (q, \iota', o')$), if for all $\iota'', o'' \in \{0,1\}^*$ we have

$$
(p, \iota, o) \leadsto^* (\top, \iota'', o'') \quad\text{iff}\quad (q, \iota', o') \leadsto^* (\top, \iota'', o'').
$$

► Corollary 7.

1. $p \approx q$ implies $(p, \iota, o) \sim_T (q, \iota, o)$ for all $\iota, o \in \{0,1\}^*$.

2. $(p, \iota, o) \leadsto (q, \iota', o')$ implies $(p, \iota, o) \sim_T (q, \iota', o')$.

3. $(p, \iota, o) \sim_T (\top, \iota', o')$ implies $(p, \iota, o) \leadsto^* (\top, \iota', o')$.

Proof. For the first claim we show that

$$
p \approx q,\ (p, \iota, o) \leadsto^* (\top, \iota', o') \quad\text{implies}\quad (q, \iota, o) \leadsto^* (\top, \iota', o')
$$

by induction on the length of $(p, \iota, o) \leadsto^* (\top, \iota', o')$. The base case is clear. For the induction step assume that $(p, \iota, o) \leadsto (p^*, \iota^*, o^*) \leadsto^* (\top, \iota', o')$. If the initial transition is a $(\tau)$ in the execution relation then we have $p^* \approx q$, $\iota^* = \iota$ and $o^* = o$, and we can apply the induction hypothesis. If the initial transition corresponds to another clause in (3), then there is a corresponding transition $p \xrightarrow{\alpha} p^*$ with $\alpha \in \mathcal{L}$ in the LTS (4), and by bisimilarity there exists a $q^*$ with $q \overset{\alpha}{\Rightarrow} q^*$ and $p^* \approx q^*$. Now the induction hypothesis implies $(q^*, \iota^*, o^*) \leadsto^* (\top, \iota', o')$, and from $q \overset{\alpha}{\Rightarrow} q^*$ we can deduce $(q, \iota, o) \leadsto^* (q^*, \iota^*, o^*)$ by cases on $\alpha$.

The second claim follows since $\leadsto$ is deterministic.

The third claim follows since $(\top, \iota', o')$ can not perform any more transitions. ◄

4 Expressivity

In this section we show that the machine with I/O is Turing complete, i.e. that every computable $f : \mathbb{N} \rightharpoonup \mathbb{N}$ can be implemented in the sense of Def. 1 by a process $p$.

Roughly speaking, given $f$, we define a process $p$ that reads the input, transforms it into a Church numeral, applies a term $t$ that computes $f$ on the level of Church numerals, and then writes the result out.

To decompose the task we define terms $R$ and $W$ for reading and writing, with the properties that $(R \star \pi, \mathsf{bin}(n), o) \sim_T (\overline{n} \star \pi, \varepsilon, o)$ ($\overline{n}$ is the $n$-th Church numeral), and $(W\overline{n} \star \pi, \iota, \varepsilon) \sim_T (\top, \iota, \mathsf{bin}(n))$ for all $n \in \mathbb{N}$.

Now the naive first attempt to combine $R$ and $W$ with the term $t$ computing the function would be something like $W(tR)$, but this would only work if the operational semantics were call by value. The solution is to use Krivine's storage operators [5], which were devised precisely to simulate call by value in call by name, and we use a variation of them.

The following definition introduces the terms $R$ and $W$, after giving some auxiliary definitions.
► Definition 8. $E, Z, B, C, H, Y, S$ are $\lambda$-terms satisfying²

$$
\begin{array}{lll}
B\,\overline{n} \simeq_\beta \overline{2n} & E\,\overline{2n}\,s\,t \simeq_\beta s & Y\,t \simeq_\beta t\,(Y\,t) \\
C\,\overline{n} \simeq_\beta \overline{2n+1} & E\,\overline{2n+1}\,s\,t \simeq_\beta t & \\
H\,\overline{n} \simeq_\beta \overline{\lfloor n/2 \rfloor} & Z\,\overline{0}\,s\,t \simeq_\beta s & \\
S\,\overline{n} \simeq_\beta \overline{n+1} & Z\,\overline{n+1}\,s\,t \simeq_\beta t &
\end{array}
$$

for all terms $s, t$ and $n \in \mathbb{N}$, where $\overline{n}$ is the Church numeral $\lambda fx.\,f^n x$. The terms $F, R, W$ are defined as follows:

$$
\begin{array}{ll}
F = \lambda hy.\,h(Sy) & \text{(see footnote 3)} \\
R = YQ\,\overline{0} & \text{where } Q = \lambda xn.\,\mathsf{r}\,(x(Bn))\,(x(Cn))\,n \\
W = YV & \text{where } V = \lambda xn.\,Z\,n\,\mathsf{end}\,(E\,n\,(\mathsf{w0}\,x(Hn))\,(\mathsf{w1}\,x(Hn)))
\end{array}
$$
The next three lemmas explain the roles of the terms $R$, $F$, and $W$.

► Lemma 9. For all $n \in \mathbb{N}$, $\pi \in \Pi$ and $o \in \{0,1\}^*$ we have $(R \star \pi, \mathsf{bin}(n), o) \sim_T (\overline{n} \star \pi, \varepsilon, o)$.

Proof. For all $n \in \mathbb{N}$ we have $YQ\,\overline{n} \simeq_\beta Q\,(YQ)\,\overline{n} \simeq_\beta \mathsf{r}\,(YQ\,\overline{2n})\,(YQ\,\overline{2n+1})\,\overline{n}$, and thus

$$
\begin{array}{rcl}
(YQ\,\overline{n} \star \pi, \varepsilon, o) & \sim_T & (\overline{n} \star \pi, \varepsilon, o) \\
(YQ\,\overline{n} \star \pi, 0\iota, o) & \sim_T & (YQ\,\overline{2n} \star \pi, \iota, o) \\
(YQ\,\overline{n} \star \pi, 1\iota, o) & \sim_T & (YQ\,\overline{2n+1} \star \pi, \iota, o)
\end{array}
$$

The claim follows by induction on the length of $\mathsf{bin}(n)$, since $\mathsf{bin}(2n) = \mathsf{bin}(n)0$ for $n > 0$, and $\mathsf{bin}(2n+1) = \mathsf{bin}(n)1$. ◄

► Lemma 10. For $n \in \mathbb{N}$ and $t$ any closed term, we have $\overline{n}\,F\,t\,\overline{0} \simeq_\beta t\,\overline{n}$.

Proof. This is because $\overline{n}\,F\,t\,\overline{0} \simeq_\beta F^n\,t\,\overline{0} \simeq_\beta t\,\overline{n}$, where the second step can be shown by induction on $n$. ◄

► Lemma 11. For all $n \in \mathbb{N}$, $\pi \in \Pi$ and $\iota \in \{0,1\}^*$ we have $(W\overline{n} \star \pi, \iota, \varepsilon) \sim_T (\top, \iota, \mathsf{bin}(n))$.

Proof. We have $W\overline{n} \simeq_\beta VW\overline{n} \simeq_\beta Z\,\overline{n}\,\mathsf{end}\,(E\,\overline{n}\,(\mathsf{w0}\,W(H\overline{n}))\,(\mathsf{w1}\,W(H\overline{n})))$, and therefore

$$
\begin{array}{rcll}
(W\overline{0} \star \pi, \iota, o) & \sim_T & (\mathsf{end} \star \pi, \iota, o) \sim_T (\top, \iota, o) & \\
(W\overline{2n} \star \pi, \iota, o) & \sim_T & (\mathsf{w0}\,W(H\overline{2n}) \star \pi, \iota, o) \sim_T (W\overline{n} \star \pi, \iota, 0o) & \text{for } n > 0 \\
(W\overline{2n+1} \star \pi, \iota, o) & \sim_T & (\mathsf{w1}\,W(H\overline{2n+1}) \star \pi, \iota, o) \sim_T (W\overline{n} \star \pi, \iota, 1o). &
\end{array}
$$

The claim follows again by induction on the length of $\mathsf{bin}(n)$. ◄

► Theorem 12. Every computable function $f : \mathbb{N} \rightharpoonup \mathbb{N}$ can be implemented by a process $p$.

Proof. From [Thm. 4.23] we know that there exists a term $t$ with $t\,\overline{n} \simeq_\beta \overline{f(n)}$ for $n \in \mathrm{dom}(f)$. The process $p$ is given by $R \star F\cdot t\cdot\overline{0}\cdot F\cdot W\cdot\overline{0}$. Indeed, for $n \in \mathrm{dom}(f)$ we have

$$
\begin{array}{rcl}
(R \star F\cdot t\cdot\overline{0}\cdot F\cdot W\cdot\overline{0}, \mathsf{bin}(n), \varepsilon) & \sim_T & (\overline{n} \star F\cdot t\cdot\overline{0}\cdot F\cdot W\cdot\overline{0}, \varepsilon, \varepsilon) \;\sim_T\; (\overline{n}\,F\,t\,\overline{0} \star F\cdot W\cdot\overline{0}, \varepsilon, \varepsilon) \\
& \sim_T & (t\,\overline{n} \star F\cdot W\cdot\overline{0}, \varepsilon, \varepsilon) \;\sim_T\; (\overline{f(n)} \star F\cdot W\cdot\overline{0}, \varepsilon, \varepsilon) \\
& \sim_T & (W\,\overline{f(n)} \star \varepsilon, \varepsilon, \varepsilon) \;\sim_T\; (\top, \varepsilon, \mathsf{bin}(f(n)))
\end{array}
$$

and we deduce $(R \star F\cdot t\cdot\overline{0}\cdot F\cdot W\cdot\overline{0}, \mathsf{bin}(n), \varepsilon) \leadsto^* (\top, \varepsilon, \mathsf{bin}(f(n)))$ by Corollary 7.3. ◄


² Such terms exist by elementary $\lambda$-calculus, see e.g. [5, Chapters 3,4]. In particular, $Y$ is known as fixed point operator.

³ This is (part of) a storage operator for Church numerals [5].
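As an added example (not code from the paper), the machine of Section 2.2 and the construction of Theorem 12 can be run concretely: a Python interpreter for the execution relation (3), using closures and environments instead of substitution, concrete $\lambda$-terms for $E, Z, B, C, H, Y, S$ (the paper only asserts their existence, so these encodings are the example's own), and the process $R \star F\cdot t\cdot\overline{0}\cdot F\cdot W\cdot\overline{0}$ from the proof of Theorem 12 executed on $\mathsf{bin}(n)$. The names parse, step, run, define, compute and binstr are the example's own.

```python
import re
# Added example (not from the paper): an interpreter for the machine with I/O of
# Section 2.2, execution relation (3), using closures instead of substitution.
CONSTS = {'cc', 'r', 'w0', 'w1', 'end'}      # constants of the syntax with I/O
TOK = re.compile(r"\\|\.|\(|\)|[A-Za-z0-9_]+")
TOP = 'T'                                   # process constant: successful termination

def parse(src, defs):
    """Parse `\\x y. body` (application is juxtaposition, lambda bodies extend
    right); identifiers in `defs` stand for the closed terms defined there."""
    toks, pos = TOK.findall(src), [0]
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else None
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def term():
        if peek() == '\\':
            take(); xs = []
            while peek() != '.': xs.append(take())
            take(); body = term()
            for x in reversed(xs): body = ('lam', x, body)
            return body
        t = atom()
        while peek() not in (None, ')'): t = ('app', t, atom())
        return t
    def atom():
        tok = take()
        if tok == '(': t = term(); take(); return t
        if tok in CONSTS: return ('const', tok)
        return defs[tok] if tok in defs else ('var', tok)
    return term()

def step(ctx):
    """One transition of (3) on (process, input, output); None when stuck.
    A process is ((term, env), stack) or TOP; env maps variables to closures,
    the stack is a tuple of closures with its top at index 0."""
    p, inp, out = ctx
    if p is TOP: return None
    (t, env), pi = p
    if t[0] == 'var': return ((env[t[1]], pi), inp, out)
    if t[0] == 'app': return (((t[1], env), ((t[2], env),) + pi), inp, out)       # (push)
    if t[0] == 'lam' and pi: return (((t[2], {**env, t[1]: pi[0]}), pi[1:]), inp, out)  # (pop)
    if t[0] == 'kont' and pi: return ((pi[0], t[1]), inp, out)                  # (restore)
    c = t[1] if t[0] == 'const' else None
    if c == 'cc' and pi:                                                        # (save)
        return ((pi[0], ((('kont', pi[1:]), {}),) + pi[1:]), inp, out)
    if c == 'r' and len(pi) >= 3:                    # (r0), (r1), (r eps): branch on input
        if inp == '': return ((pi[2], pi[3:]), inp, out)
        return ((pi[int(inp[0])], pi[3:]), inp[1:], out)
    if c in ('w0', 'w1') and pi:                     # (w0), (w1): the bit is prepended to o
        return ((pi[0], pi[1:]), inp, c[1] + out)
    if c == 'end': return (TOP, inp, out)            # (e): discard the stack
    return None

def run(proc, inp, out='', fuel=10**7):
    """Iterate the deterministic execution relation until no rule applies."""
    ctx = (proc, inp, out)
    for _ in range(fuel):
        nxt = step(ctx)
        if nxt is None: return ctx
        ctx = nxt
    raise RuntimeError('fuel exhausted')

DEFS = {}
def define(name, src): DEFS[name] = parse(src, DEFS)

# Concrete lambda-terms with the properties of Definition 8 (the paper only
# asserts their existence; these encodings are the example's own choice).
define('ZERO', r'\f x. x')                  # Church numeral 0
define('S', r'\n f x. f (n f x)')           # n -> n+1
define('B', r'\n f x. n f (n f x)')         # n -> 2n
define('C', r'\n f x. f (n f (n f x))')     # n -> 2n+1
define('TRUE', r'\x y. x')
define('NOT', r'\b x y. b y x')
define('E', r'\n s t. n NOT TRUE s t')      # E (2n) s t = s,  E (2n+1) s t = t
define('Z', r'\n s t. n (\y. t) s')         # Z 0 s t = s,  Z (n+1) s t = t
define('PAIR', r'\a b p. p a b')
define('FST', r'\p. p (\a b. a)')
define('SND', r'\p. p (\a b. b)')
define('H', r'\n. FST (n (\p. PAIR (SND p) (S (FST p))) (PAIR ZERO ZERO))')  # floor(n/2)
define('Y', r'(\x f. f (x x f)) (\x f. f (x x f))')   # Turing's fixed-point combinator
# F, Q, R, V, W exactly as in Definition 8.
define('F', r'\h y. h (S y)')
define('Q', r'\x n. r (x (B n)) (x (C n)) n')
define('R', 'Y Q ZERO')
define('V', r'\x n. Z n end (E n (w0 (x (H n))) (w1 (x (H n))))')
define('W', 'Y V')

def binstr(n):
    """bin(n) of Definition 1: base-2 digits, with 0 the empty string."""
    return format(n, 'b') if n else ''

def compute(fname, n):
    """Run R * F.t.0.F.W.0 (proof of Theorem 12) with t = DEFS[fname] on bin(n);
    returns the output if the run ends in (TOP, eps, o), and None otherwise."""
    stack = tuple((DEFS[k], {}) for k in ('F', fname, 'ZERO', 'F', 'W', 'ZERO'))
    p, inp, out = run(((DEFS['R'], {}), stack), binstr(n))
    return out if p is TOP and inp == '' else None

if __name__ == '__main__':
    print({n: compute('S', n) for n in range(6)})   # successor on inputs 0..5
```

Because (3) prepends written bits, $W$ emits the least significant bit first and the final output string is still $\mathsf{bin}(n)$, which is what compute checks against.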
5 Realizability and triposes

The aim of this section is to describe how the presence of I/O instructions allows us to define new realizability models, which we do in the categorical language of triposes and toposes [?]. In Subsection 5.1 we give a categorical reading of Krivine's realizability interpretation as described in [?] and show how it gives rise to triposes. In Subsection 5.2 we show how the definitions can be adapted to the syntax and machine with I/O, and how this allows us to define new realizability models from specifications.

The interpretation of Krivine realizability in terms of triposes is due to Streicher [?], and has further been explored in [5]. However, the presentation here is more straightforward since the constructions and proofs do not rely on ordered combinatory algebras, but directly rephrase Krivine's constructions categorically.


5.1 Krivine's classical realizability 

Throughout this subsection we work with the syntax (1) without I/O instructions but with stack constants.

Krivine's realizability interpretation is always given relative to a set of processes called a 'pole'; the choice of pole determines the interpretation.

► Definition 13. A pole is a set $\bot\!\!\!\bot \subseteq \Lambda\star\Pi$ of processes which is saturated, in the sense that $p \in \bot\!\!\!\bot$ and $p' \succ p$ implies $p' \in \bot\!\!\!\bot$.

As Miquel [?] demonstrated, the pole can be seen as playing the role of the parameter $R$ in Friedman's negative translation [3]. In the following we assume that a pole $\bot\!\!\!\bot$ is fixed.

A truth value is by definition a set $S \subseteq \Pi$ of stacks. Given a truth value $S$ and a term $t$, we write $t \Vdash S$, and say $t$ realizes $S$, if $\forall \pi \in S.\ t \star \pi \in \bot\!\!\!\bot$. We write $S^{\Vdash} = \{t \in \Lambda \mid t \Vdash S\}$ for the set of realizers of $S$. So unlike in Kleene realizability the elements of a truth value are not its realizers; they should rather be seen as 'refutations', and indeed larger subsets of $\Pi$ represent 'falser' truth values⁴. In particular falsity is defined as

$$
\bot = \Pi.
$$

Given truth values $S, T \subseteq \Pi$, we define the implication $S \Rightarrow T$ as follows.

$$
S \Rightarrow T = S^{\Vdash}\cdot T = \{s\cdot\pi \mid s \Vdash S,\ \pi \in T\} \qquad (6)
$$

With these definitions we can formulate the following lemma, which relates refutations of a truth value $S$ with realizers of its negation.

► Lemma 14. Given $\pi \in S \subseteq \Pi$, we have $k_\pi \Vdash S \Rightarrow T$.

Proof. We have to show that $k_\pi \star t\cdot\rho \in \bot\!\!\!\bot$ for all $t \Vdash S$ and $\rho \in \Pi$. This is because $k_\pi \star t\cdot\rho \succ t \star \pi$, where $\pi \in S$ and $t \Vdash S$. ◄

A (semantic) predicate on a set $I$ is a function $\varphi : I \to \mathcal{P}(\Pi)$ from $I$ to truth values. On semantic predicates we define the basic logical operations of falsity, implication, universal quantification, and reindexing by

$$
\begin{array}{ll}
\bot(i) = \Pi & \text{(falsity)} \\
(\varphi \Rightarrow \psi)(i) = \varphi(i) \Rightarrow \psi(i) & \text{(implication)} \\
\forall_f(\theta)(i) = \bigcup\{\theta(j) \mid f(j) = i\} & \text{(universal quantification)} \\
f^*\varphi = \varphi \circ f & \text{(reindexing)}
\end{array}
\qquad (7)
$$

for $\varphi, \psi : I \to \mathcal{P}(\Pi)$, $\theta : J \to \mathcal{P}(\Pi)$ and $f : J \to I$. Thus, for any function $f : J \to I$, the function $\forall_f$ (called 'universal quantification along $f$') maps predicates on $J$ to predicates on $I$, and the function $f^*$ (called 'reindexing along $f$') maps predicates on $I$ to predicates on $J$⁵. We write $\forall_I$ for universal quantification along the terminal projection $I \to 1$.

⁴ For this reason, Miquel [?] calls the elements of $\mathcal{P}(\Pi)$ falsity values.

Next, we come to the concept of 'truth/validity' of the interpretation. We can not simply call a truth value 'true' if it has a realizer; this would lead to inconsistency as soon as the pole $\bot\!\!\!\bot$ is nonempty, since $k_\pi t \Vdash \bot$ for any process $t \star \pi \in \bot\!\!\!\bot$. The solution is to single out a set $\mathsf{PL}$ of 'well-behaved' realizers called 'proof-like terms'. We recall the definition from [?].


► Definition 15. The set $\mathsf{PL} \subseteq \Lambda$ of proof-like terms is the set of terms $t$ that do not contain any continuations $k_\pi$.

As Krivine [?, pg. 2] points out, $t$ is a proof-like term if and only if it does not contain any stack constant $\pi_0 \in \Pi_0$ (since continuation terms $k_\pi$ necessarily contain a stack constant at the end of $\pi$, and conversely stacks can only occur as continuations in a term).

Proof-like terms give us a concept of logical validity: a truth value $S$ is called valid, if there exists a proof-like term $t$ with $t \Vdash S$.

With this notion, we are ready to define the centerpiece of the realizability model, which is the entailment relation on predicates.

► Definition 16. For any set $I$ and integer $n$, the $(n+1)$-ary entailment relation $(\vdash_I)$ on predicates on $I$ is defined by

$$
\varphi_1 \ldots \varphi_n \vdash_I \psi \quad\text{if and only if}\quad \exists t \in \mathsf{PL}.\ t \Vdash \forall_I(\varphi_1 \Rightarrow \ldots \Rightarrow \varphi_n \Rightarrow \psi).
$$

If the right hand side proposition holds, we call $t$ a realizer of $\varphi_1 \ldots \varphi_n \vdash_I \psi$.

Thus, $\varphi_1 \ldots \varphi_n \vdash_I \psi$ means that the truth value $\forall_I(\varphi_1 \Rightarrow \ldots \Rightarrow \varphi_n \Rightarrow \psi)$ is valid. More explicitly this can be written out as

$$
\exists t \in \mathsf{PL}\ \forall i \in I,\ u_1 \in \varphi_1(i)^{\Vdash}, \ldots, u_n \in \varphi_n(i)^{\Vdash},\ \pi \in \psi(i).\ t \star u_1\cdot\ldots\cdot u_n\cdot\pi \in \bot\!\!\!\bot.
$$

With the aim to show that the semantic predicates form a tripos in Theorem 22, we now prove that the entailment ordering models the logical rules in Table 1. The first eight rules form a standard natural deduction system for (the $\bot, \Rightarrow$ fragment of) classical propositional logic, but for universal quantification we give categorically inspired rules that bring us quicker to where we want, and in particular avoid having to deal with variables.

► Lemma 17. The rules displayed in Table 1 are admissible for the entailment relation, in the sense that if the hypotheses hold then so does the conclusion.

⁵ The usual $\forall x{:}A$ from predicate logic corresponds to taking $f$ to be a projection map $\pi_1 : \Gamma \times A \to \Gamma$, see e.g. [?, Chapter 4].
Table 1: Admissible rules for the entailment relation.

$$
\begin{array}{c}
\dfrac{}{\varphi \vdash_I \varphi}\ (\mathrm{Ax}) \qquad
\dfrac{\Gamma \vdash_I \bot}{\Gamma \vdash_I \psi}\ (\bot\mathrm{E}) \qquad
\dfrac{\Gamma, \varphi \vdash_I \psi}{\Gamma \vdash_I \varphi \Rightarrow \psi}\ (\Rightarrow\mathrm{I}) \qquad
\dfrac{\Gamma \vdash_I \varphi \qquad \Delta \vdash_I \varphi \Rightarrow \theta}{\Gamma, \Delta \vdash_I \theta}\ (\Rightarrow\mathrm{E}) \\[3ex]
\dfrac{}{\Gamma \vdash_I ((\psi \Rightarrow \bot) \Rightarrow \psi) \Rightarrow \psi}\ (\mathrm{PeL}) \qquad
\dfrac{\Gamma \vdash_I \psi}{\varphi, \Gamma \vdash_I \psi}\ (\mathrm{W}) \qquad
\dfrac{\varphi, \varphi, \Gamma \vdash_I \psi}{\varphi, \Gamma \vdash_I \psi}\ (\mathrm{C}) \qquad
\dfrac{\Gamma \vdash_I \varphi}{\sigma(\Gamma) \vdash_I \varphi}\ (\mathrm{S}) \\[3ex]
\dfrac{f^*\Gamma \vdash_J \xi}{\Gamma \vdash_I \forall_f \xi}\ (\forall\mathrm{I}) \qquad
\dfrac{\Gamma \vdash_I \forall_f \xi}{f^*\Gamma \vdash_J \xi}\ (\forall\mathrm{E})
\end{array}
$$

$\varphi, \psi, \theta$ are predicates on $I$, i.e. functions $I \to \mathcal{P}(\Pi)$, and $\Gamma = \varphi_1 \ldots \varphi_n$ and $\Delta = \psi_1 \ldots \psi_m$ are lists of such predicates. $\xi$ is a predicate on $J$, and $f : J \to I$ is a function, $\sigma$ is a permutation of $\{1, \ldots, n\}$. $f^*\Gamma$ is an abbreviation for $f^*\varphi_1 \ldots f^*\varphi_n$, and $\sigma(\Gamma)$ is an abbreviation for $\varphi_{\sigma(1)} \ldots \varphi_{\sigma(n)}$.


Proof. (Ax) rule: the conclusion is realized by $\lambda x.x$.

($\bot$E) rule: every realizer of the hypothesis is also a realizer of the conclusion, since $\psi(i) \subseteq \bot(i) = \Pi$ for all $i \in I$.

($\Rightarrow$I) rule: the hypothesis and the conclusion have precisely the same realizers.

($\Rightarrow$E) rule: if $t$ realizes $\Delta \vdash_I \varphi \Rightarrow \theta$ and $u$ realizes $\Gamma \vdash_I \varphi$ then $\Gamma, \Delta \vdash_I \theta$ is realized by

$$
\lambda x_1 \ldots x_n y_1 \ldots y_m.\ t\,y_1 \ldots y_m\,(u\,x_1 \ldots x_n).
$$

(PeL) rule ('Peirce's law'): the conclusion is realized by $\mathsf{cc}$. To see this, let $i \in I$, $t \Vdash (\psi(i) \Rightarrow \bot) \Rightarrow \psi(i)$, and $\pi \in \psi(i)$. Then we have $\mathsf{cc} \star t\cdot\pi \succ t \star k_\pi\cdot\pi$, which is in $\bot\!\!\!\bot$ since $k_\pi\cdot\pi \in (\psi(i) \Rightarrow \bot) \Rightarrow \psi(i)$ by Lemma 14 and the definition (6) of implication.

(W) rule: if $t$ realizes $\Gamma \vdash_I \psi$, then $\lambda x.t$ realizes $\varphi, \Gamma \vdash_I \psi$.

(C) rule: if $t$ realizes $\varphi, \varphi, \Gamma \vdash_I \psi$, then $\lambda x.\,txx$ realizes $\varphi, \Gamma \vdash_I \psi$.

(S) rule: if $t$ realizes $\Gamma \vdash_I \varphi$, then $\lambda x_{\sigma(1)} \ldots x_{\sigma(n)}.\ t\,x_1 \ldots x_n$ realizes $\sigma(\Gamma) \vdash_I \varphi$.

($\forall$I) and ($\forall$E) rules: $\Gamma \vdash_I \forall_f \xi$ and $f^*\Gamma \vdash_J \xi$ have exactly the same realizers. Indeed, a realizer of $f^*\Gamma \vdash_J \xi$ is a term $t$ satisfying

$$
\forall j \in J,\ u_1 \in \varphi_1(f(j))^{\Vdash}, \ldots, u_n \in \varphi_n(f(j))^{\Vdash},\ \pi \in \xi(j).\ t \star u_1\cdot\ldots\cdot u_n\cdot\pi \in \bot\!\!\!\bot,
$$

and a realizer of $\Gamma \vdash_I \forall_f \xi$ is a term $t$ satisfying

$$
\forall i \in I,\ u_1 \in \varphi_1(i)^{\Vdash}, \ldots, u_n \in \varphi_n(i)^{\Vdash},\ \pi \in \textstyle\bigcup_{f(j)=i} \xi(j).\ t \star u_1\cdot\ldots\cdot u_n\cdot\pi \in \bot\!\!\!\bot,
$$

and both statements can be rephrased as a quantification over pairs $(i, j)$ with $f(j) = i$. ◄

We only defined the propositional connectives $\bot, \Rightarrow$, since $\top, \wedge, \vee, \neg$ can be encoded as follows:

$$
\begin{array}{ll}
\top = \bot \Rightarrow \bot & \neg\varphi = \varphi \Rightarrow \bot \\
\varphi \wedge \psi = (\varphi \Rightarrow (\psi \Rightarrow \bot)) \Rightarrow \bot & \varphi \vee \psi = (\varphi \Rightarrow \bot) \Rightarrow \psi
\end{array}
$$

With these encodings it is routine to show the following.

J. Frey


► Lemma 18. With the connectives $\top, \wedge, \vee, \neg$ encoded as above, the rules of propositional classical natural deduction (e.g. system Nc in [19, Section 2.1.8]) are derivable from the rules in Table 1.

With this we can show that for any set $I$, the binary part of the entailment relation makes $\mathcal{P}(\Pi)^I$ into a Boolean prealgebra.

► Definition 19. A Boolean prealgebra is a preorder $(B, \leq)$ which

1. has binary joins and meets, denoted by $x \vee y$ and $x \wedge y$ for $x, y \in B$,

2. has a least element $\bot$ and a greatest element $\top$,

3. is distributive in the sense that $x \wedge (y \vee z) = (x \wedge y) \vee (x \wedge z)$ for all $x, y, z \in B$, and

4. is complemented, i.e. for every $x \in B$ there exists a $\neg x$ with $x \wedge \neg x = \bot$ and $x \vee \neg x = \top$.

► Lemma 20. Writing $\varphi \leq \psi$ for $\varphi \vdash_I \psi$, $(\mathcal{P}(\Pi)^I, \leq)$ is a Boolean prealgebra.


Proof. The (Ax) rule implies that $\leq$ is reflexive, and transitivity follows from the derivation

$$
\dfrac{\varphi \vdash_I \psi \qquad \dfrac{\psi \vdash_I \theta}{\vdash_I \psi \Rightarrow \theta}}{\varphi \vdash_I \theta}.
$$

Thus, $\leq$ is a preorder on $\mathcal{P}(\Pi)^I$.

The joins, meets, complements, and least and greatest element are given by the corresponding logical operations as defined in (7) and the encodings above.

The required properties all follow from derivability of corresponding entailments and rules in classical natural deduction. For example, $\varphi \wedge \psi$ is a binary meet of $\varphi$ and $\psi$ since the entailments $\varphi \wedge \psi \vdash_I \varphi$ and $\varphi \wedge \psi \vdash_I \psi$ and the rule

$$
\dfrac{\theta \vdash_I \varphi \qquad \theta \vdash_I \psi}{\theta \vdash_I \varphi \wedge \psi}
$$

are derivable.

Distributivity follows from derivability of the entailments $\varphi \wedge (\psi \vee \theta) \vdash_I (\varphi \wedge \psi) \vee (\varphi \wedge \theta)$ and $(\varphi \wedge \psi) \vee (\varphi \wedge \theta) \vdash_I \varphi \wedge (\psi \vee \theta)$. ◄


We now come to triposes, which are a kind of categorical model for higher order logic. We use a 'strictified' version of the original definition [?, Def. 1.2] since this bypasses some subtleties and is sufficient for our purposes. Furthermore, we are only interested in modeling classical logic here, and thus can restrict attention to triposes whose fibers are Boolean (instead of Heyting) prealgebras.

► Definition 21. A strict⁶ Boolean tripos is a contravariant functor $\mathcal{P} : \mathbf{Set}^{\mathrm{op}} \to \mathbf{Ord}$ from the category of sets to the category of preorders such that

▪ for every set $I$, the preorder $\mathcal{P}(I)$ is a Boolean prealgebra, and for any function $f : J \to I$, the induced monotone map $\mathcal{P}(f) : \mathcal{P}(I) \to \mathcal{P}(J)$ preserves all Boolean prealgebra structure,

▪ for any $f : J \to I$, $\mathcal{P}(f)$ has left and right adjoints⁷ $\exists_f \dashv \mathcal{P}(f) \dashv \forall_f$ such that for any pullback square⁸

$$
\begin{array}{ccc}
L & \xrightarrow{\ q\ } & K \\
{\scriptstyle p}\downarrow & & \downarrow{\scriptstyle g} \\
J & \xrightarrow{\ f\ } & I
\end{array}
\qquad (8)
$$

⁶ 'Strict' refers to the facts that (i) $\mathcal{P}$ is a functor, not merely a pseudofunctor, (ii) the Boolean prealgebra structure is preserved 'on the nose' by the monotone maps $\mathcal{P}(f)$, (iii) the Beck-Chevalley condition is required up to equality, not merely isomorphism, (iv) we require equality and uniqueness in the last condition. Every strict tripos is a tripos in the usual sense, and conversely it can be shown that any tripos is equivalent to a strict one.

⁷ 'Adjoint' in the sense of 'adjoint functor', where monotone maps are viewed as functors between degenerate categories.
we have $\mathcal{P}(g) \circ \forall_f = \forall_q \circ \mathcal{P}(p)$ (this is the Beck-Chevalley condition), and

▪ there exists a generic predicate, i.e. a set $\mathrm{Prop}$ and an element $\mathrm{tr} \in \mathcal{P}(\mathrm{Prop})$ such that for every set $I$ and $\varphi \in \mathcal{P}(I)$ there exists a unique function $f : I \to \mathrm{Prop}$ with $\mathcal{P}(f)(\mathrm{tr}) = \varphi$.

The assignment $I \mapsto (\mathcal{P}(\Pi)^I, \leq)$ extends to a functor $\mathcal{P}_{\bot\!\!\!\bot} : \mathbf{Set}^{\mathrm{op}} \to \mathbf{Ord}$ by letting $\mathcal{P}_{\bot\!\!\!\bot}(f) = f^*$, i.e. mapping every function $f : J \to I$ to the reindexing function along $f$, which is monotone since every realizer of $\varphi \vdash_I \psi$ is also a realizer of $\varphi \circ f \vdash_J \psi \circ f$.

► Theorem 22. is a strict Boolean tripos. 


Proof. We have shown in Lemma 20 that the preorders (P(n)'', <) are Boolean prealgebras. 
It is immediate from ([^ that the reindexing functions f* preserve _L and =>, and the other 
Boolean operations are preserved since they are given by encodings. 

The identity function id : P(n) —J. P(n) is a generic predicate for 

The (VI) and (VE) rules together imply that the operation V/ : P(n)'^ —> P(n)''^ is right 
adjoint to /* for any / : J —>• J. Existential quantification along / : J —>• / is given by 
3/ = -'oV/o-i, which is left adjoint to /* since 


-Gif^p \-i'tjj iff ->'0 h/iff hjiff -^f*ijj\-j^p iff p\-jf*tj} 


for all 93 : J —>■ P(n) and "0 : / —>■ P(n). 

It remains to verify the Beck-Chevalley condition. Given a square as in (8) we have

$$g^*(\forall_f\varphi)(k) = \bigcup\{\varphi(j) \mid f(j) = g(k)\} \quad\text{and}\quad \forall_q(p^*\varphi)(k) = \bigcup\{\varphi(j) \mid \exists l\,.\; p(l) = j \wedge q(l) = k\},$$

and the two terms are equal since the square is a pullback. ◄

Thus we obtain a tripos $\mathcal{P}_{\bot\!\!\bot}$ for each pole $\bot\!\!\bot$. As Hyland, Johnstone, and Pitts showed in [7], every tripos $\mathcal{P}$ gives rise to a topos $\mathbf{Set}[\mathcal{P}]$ via the tripos-to-topos construction. Since the fibers of the triposes $\mathcal{P}_{\bot\!\!\bot}$ are Boolean prealgebras, the toposes $\mathbf{Set}[\mathcal{P}_{\bot\!\!\bot}]$ are Boolean as well, which means that their internal logic is classical.


5.1.1 Consistency 

Triposes of the form $\mathcal{P}_{\bot\!\!\bot}$ can be degenerate in two ways: if $\bot\!\!\bot$ is empty then $\mathcal{P}_{\bot\!\!\bot}(I) \simeq (\mathcal{P}(I), \subseteq)$ for every set $I$, and the topos $\mathbf{Set}[\mathcal{P}_{\bot\!\!\bot}]$ is equivalent to the category $\mathbf{Set}$.

If, in the other extreme, the pole is so big that there exists a proof-like $t$ realizing $\bot$, i.e. falsity is valid in the model, then we have $\mathcal{P}_{\bot\!\!\bot}(I) \simeq 1$ for all $I$ (since $t$ realizes every entailment $\varphi \vdash_I \psi$), and the topos $\mathbf{Set}[\mathcal{P}_{\bot\!\!\bot}]$ is equivalent to the terminal category.

By consistency we mean that falsity is not valid, or equivalently that

$$\forall t \in \mathrm{PL}\;\exists \pi \in \Pi\,.\; t * \pi \notin \bot\!\!\bot \qquad (9)$$

The 'canonical' (according to Krivine [12]) non-trivial consistent pole is the thread model, which is given by postulating a stack constant $\pi_t$ for each proof-like term $t$, and defining $\bot\!\!\bot = \{p \in \Lambda * \Pi \mid \neg\exists t \in \mathrm{PL}\,.\; t * \pi_t \succ p\}$. Then the processes $t * \pi_t$ are not in $\bot\!\!\bot$ for any proof-like $t$, which ensures the validity of condition (9).

In the next section we show how the presence of side effects allows us to define a variety of new, 'meaningful' consistent poles.


⁸ The square being a pullback means that $f \circ p = g \circ q$ and $\forall j, k\,.\; f(j) = g(k) \Rightarrow \exists! l\,.\; p(l) = j \wedge q(l) = k$.
5.2 Krivine realizability with I/O

The developments of the previous section generalize pretty much directly to the syntax with I/O. Concretely, we carry over the definitions of pole, truth value, realizer, predicate, and of the basic logical operations $\bot, \Rightarrow, \forall$, by replacing $\Lambda$ with $\Lambda_e$, $\Pi$ with $\Pi_e$, and $\Lambda * \Pi$ with $P$.

We point out that in the presence of effects, the definition of pole only means that $\bot\!\!\bot$ is saturated w.r.t. effect-free evaluation, in contrast to Miquel's approach [?] where a pole is a set of (what we call) execution contexts, closed under the entire execution relation.

The concept of proof-like term deserves some reexamination. It turns out that the appropriate concept of proof-like term is 'term not containing any side effects'. This is consistent with the earlier definition of proof-like term if we read 'free of side effects' as 'free of non-logical constructs', which are the stack constants in Krivine's case. Continuation terms, on the other hand, can be considered proof-like. We therefore redefine:

► Definition 23. The set $\mathrm{PL} \subseteq \Lambda_e$ of proof-like terms is the set of terms not containing any of the constants $\mathsf{r}, \mathsf{w0}, \mathsf{w1}, \mathsf{end}$.

With this rephrased definition of proof-like term, we can define the entailment relation on 
the extended predicates in the same way: 

► Definition 24. For any set $I$ and integer $n$, the $(n+1)$-ary entailment relation $(\vdash_I)$ on the set $\mathcal{P}(\Pi_e)^I$ of extended predicates on $I$ is defined by

$$\varphi_1 \ldots \varphi_n \vdash_I \psi \quad\text{if and only if}\quad \exists t \in \mathrm{PL}\,.\; t \Vdash \forall_I(\varphi_1 \Rightarrow \cdots \Rightarrow \varphi_n \Rightarrow \psi).$$


As a special case, the ordering on extended predicates is defined by
$\varphi \leq \psi$ if and only if $\exists t \in \mathrm{PL}\,.\; t \Vdash \forall_I(\varphi \Rightarrow \psi)$.


With these definitions, we can state analogues of Lemma 20 and Theorem 22.


► Theorem 25.

■ For each set $I$, the order $(\mathcal{P}(\Pi_e)^I, \leq)$ of extended predicates is a Boolean prealgebra.

■ The assignment $I \mapsto (\mathcal{P}(\Pi_e)^I, \leq)$ gives rise to a strict Boolean tripos $\mathcal{P}_{\bot\!\!\bot} : \mathbf{Set}^{\mathrm{op}} \to \mathbf{Ord}$.


Proof. This follows from the arguments in Section 5.1, since the proofs of Lemmas 18 and 20, of the other lemmas of that section, and of Theorem 22 are not obstructed in any way by the new constants, nor do they rely on stack constants. The redefinition of 'proof-like term' does not cause any problems either, since we never relied on proof-like terms not containing continuation terms. ◄


The above rephrasing of the definition of proof-like term admits an intuitive reformulation of the consistency criterion (9):

► Lemma 26. A pole $\bot\!\!\bot$ is consistent if and only if every $p \in \bot\!\!\bot \setminus \{\top\}$ contains a non-logical constant, i.e. one of $\mathsf{r}, \mathsf{w0}, \mathsf{w1}, \mathsf{end}$.

Proof. If every element $p \in \bot\!\!\bot \setminus \{\top\}$ contains a non-logical constant, then $t * \varepsilon$ is not in $\bot\!\!\bot$ for any proof-like $t$, which implies (9).

On the other hand, if $t * \pi \in \bot\!\!\bot$ does not contain any non-logical constant then $\mathsf{k}_\pi\, t$ is a proof-like term which realizes $\bot$, since for any $\rho \in \Pi_e$ we have $\mathsf{k}_\pi\, t * \rho \succ \mathsf{k}_\pi * t \cdot \rho \succ t * \pi \in \bot\!\!\bot$. ◄










Realizability Toposes from Specifications 


5.2.1 Poles from specifications 

The connection between poles and specifications is established by the following lemma. 

► Lemma 27. Every set $\bot\!\!\bot$ of processes that is closed under weak bisimilarity is a pole.

Proof. This is because $p \approx q$ whenever $p \succ q$, which follows from Lemma [?]. ◄

Since we can assume that for any reasonable specification the processes implementing it are closed under weak bisimilarity, we conclude that for any specification, the set of processes implementing it is a pole. For example:

■ $\bot\!\!\bot_{cp}$ is the set of processes that read the input, copy every bit immediately to the output, and terminate when the input is empty. We have $\mathsf{Y} * (\lambda x\,.\; \mathsf{r}\,(\mathsf{w0}\,x)\,(\mathsf{w1}\,x)\,\mathsf{end}) \in \bot\!\!\bot_{cp}$.

■ $\bot\!\!\bot_{cp'}$ contains the processes that first read the entire input, and then write out the same string and terminate. We have $\mathsf{R} * \mathsf{F} \cdot \mathsf{W} \cdot \mathsf{0} \in \bot\!\!\bot_{cp'}$ with the notations of Section [?].

■ For any partial function $f : \mathbb{N} \rightharpoonup \mathbb{N}$, the pole $\bot\!\!\bot_f$ consists of those processes that implement $f$ in the sense of Definition [?].

■ Since poles are closed under unions, we can define the pole $\bot\!\!\bot_F = \bigcup_{f \in F} \bot\!\!\bot_f$ for any set $F \subseteq (\mathbb{N} \rightharpoonup \mathbb{N})$ of partial functions.
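As an added illustration (not code from the paper), the following Python sketch runs the copy process of the first bullet on a small Krivine machine extended with the constants $\mathsf{r}, \mathsf{w0}, \mathsf{w1}, \mathsf{end}$. The reduction rules given in the docstring for these constants, for $\mathsf{Y}$ and for the continuation constants $\mathsf{k}_\pi$ are an assumed reading of the paper's notation, and all helper names are assumptions of this example. Membership in $\bot\!\!\bot_{cp}$ is a property over all inputs, so the code only approximates it on a constructed finite sample; it also exercises the syntactic test of Lemma 26 (presence of a non-logical constant) and the step $\mathsf{k}_\pi\, t * \rho \succ t * \pi$ used in its proof.

```python
"""Krivine machine with I/O constants r, w0, w1, end (illustration; assumed rules):
  r  * k0.k1.ke.pi  reads a bit: 0 -> k0 * pi, 1 -> k1 * pi, end of input -> ke * pi
  w0 * k.pi, w1 * k.pi  write the bit 0 / 1, then continue with k * pi
  end * pi          terminates
  Y  * t.pi  >-  t * (Y t).pi          (fixed-point combinator)
  k_pi * t.rho  >-  t * pi             (continuation constant for the stack pi)
"""
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: param: str; body: "Term"
@dataclass(frozen=True)
class App: fun: "Term"; arg: "Term"
@dataclass(frozen=True)
class Const: name: str            # "Y", "r", "w0", "w1" or "end"
@dataclass(frozen=True)
class Kont: stack: tuple          # k_pi, capturing the stack pi
Term = Union[Var, Lam, App, Const, Kont]
@dataclass(frozen=True)
class Closure: term: Term; env: tuple   # env: ((name, Closure), ...), innermost first

NON_LOGICAL = {"r", "w0", "w1", "end"}

def lookup(env, name):
    for n, c in env:
        if n == name:
            return c
    raise KeyError(name)

def run(term, stack=(), inp="", fuel=100_000):
    """Run the process term * stack on the input bit string inp.
    Returns (status, output) with status "terminated" (reached end),
    "stuck" (no rule applies) or "diverged" (fuel exhausted)."""
    clo, stack, out = Closure(term, ()), tuple(stack), []
    for _ in range(fuel):
        t, env = clo.term, clo.env
        if isinstance(t, App):                       # push the argument closure
            clo, stack = Closure(t.fun, env), (Closure(t.arg, env),) + stack
            continue
        if isinstance(t, Var):
            clo = lookup(env, t.name)
            continue
        if isinstance(t, Const) and t.name == "end":
            return "terminated", "".join(out)
        need = 3 if isinstance(t, Const) and t.name == "r" else 1
        if len(stack) < need:
            return "stuck", "".join(out)
        if isinstance(t, Lam):                       # bind the top of the stack
            clo, stack = Closure(t.body, ((t.param, stack[0]),) + env), stack[1:]
        elif isinstance(t, Kont):                    # k_pi * t.rho  >-  t * pi
            clo, stack = stack[0], t.stack
        elif t.name == "Y":                          # Y * t.pi  >-  t * (Y t).pi
            rec = Closure(App(Const("Y"), Var("$t")), (("$t", stack[0]),))
            clo, stack = stack[0], (rec,) + stack[1:]
        elif t.name in ("w0", "w1"):                 # emit the bit, continue with k
            out.append(t.name[1])
            clo, stack = stack[0], stack[1:]
        elif t.name == "r":                          # consume one input bit
            k0, k1, ke, stack = stack[0], stack[1], stack[2], stack[3:]
            if inp == "":
                clo = ke
            else:
                clo, inp = (k0 if inp[0] == "0" else k1), inp[1:]
        else:
            return "stuck", "".join(out)
    return "diverged", "".join(out)

def contains_non_logical(term) -> bool:
    """Syntactic test from Lemma 26: does the term mention r, w0, w1 or end?"""
    if isinstance(term, Const):
        return term.name in NON_LOGICAL
    if isinstance(term, Lam):
        return contains_non_logical(term.body)
    if isinstance(term, App):
        return contains_non_logical(term.fun) or contains_non_logical(term.arg)
    if isinstance(term, Kont):
        return any(contains_non_logical(c.term) for c in term.stack)
    return False

def process_contains_non_logical(term, stack) -> bool:
    return contains_non_logical(term) or any(contains_non_logical(c.term) for c in stack)

# The copy process  Y * (\x . r (w0 x) (w1 x) end)  of the first bullet.
X = Var("x")
COPY_BODY = Lam("x", App(App(App(Const("r"), App(Const("w0"), X)),
                             App(Const("w1"), X)), Const("end")))
COPY_TERM, COPY_STACK = Const("Y"), (Closure(COPY_BODY, ()),)
IDENTITY = Lam("x", X)   # a proof-like term: it contains no I/O constant

def in_copy_pole(term, stack, samples=("", "0", "1", "1101", "0010")):
    """Finite approximation of membership in the copy pole: on every sample
    (constructed inputs) the process must terminate with output == input."""
    return all(run(term, stack, s) == ("terminated", s) for s in samples)

def continuation_restores(t, pi, rho, inp):
    """Lemma 26's step: k_pi t * rho  >-  t * pi, so both runs must agree."""
    return run(App(Kont(pi), t), rho, inp) == run(t, pi, inp)
```

Running `run(COPY_TERM, COPY_STACK, "1101")` yields `("terminated", "1101")`, while the proof-like `IDENTITY` gets stuck without writing anything, so `in_copy_pole` rejects it; `process_contains_non_logical` reports the constants that Lemma 26 requires of every non-trivial element of a consistent pole.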


5.2.2 Toposes from computable functions 

We are particularly interested in the poles $\bot\!\!\bot_f$ associated to computable functions $f$, and we want to use the associated triposes $\mathcal{P}_f = \mathcal{P}_{\bot\!\!\bot_f}$ and toposes $\mathbf{Set}[\mathcal{P}_f]$ to study these functions.

The following theorem provides a first 'sanity check', by showing that the associated models are non-degenerate.


► Theorem 28. Let $f : \mathbb{N} \rightharpoonup \mathbb{N}$.

■ $\bot\!\!\bot_f$ is consistent if and only if $f$ is not totally undefined.

■ $\bot\!\!\bot_f$ is non-empty if and only if $f$ is computable.


Proof. The first claim follows from Lemma 26. If $n \in \mathrm{dom}(f)$ and $t * \pi$ implements $f$, then $(t * \pi, \mathrm{bin}(n), \varepsilon)$ must terminate and thus $t * \pi$ must contain an $\mathsf{end}$ instruction. The totally undefined function, on the other hand, is by definition implemented by every process.

For the second claim, we have shown in Theorem [?] that every computable $f$ is implemented by some process. Conversely, every implementable function is computable since the Krivine machine with I/O is an effective model of computation. ◄


5.3 Discussion and future work 

The structure and properties of the toposes $\mathbf{Set}[\mathcal{P}_f]$ remain mysterious for the moment, and in future work we want to explore which kind of properties of $f$ are reflected in $\mathbf{Set}[\mathcal{P}_f]$. In the spirit of Grothendieck [3] we want to view the toposes $\mathbf{Set}[\mathcal{P}_f]$ as geometric rather than logical objects, the guiding intuition being that $\mathbf{Set}[\mathcal{P}_f]$ can be seen as a representation of 'the space of solutions to the algorithmic problem of computing $f$', encoding e.g. information on how algorithms computing $f$ can be decomposed into simpler parts.

Evident problems to investigate are to understand the lattice of truth values in $\mathbf{Set}[\mathcal{P}_f]$, and to determine for which pairs $f, g$ of functions the associated toposes are equivalent, and which functions can be separated.

A more audacious goal is to explore whether $\mathbf{Set}[\mathcal{P}_f]$ can teach us something about the complexity of a computable function $f$. The Krivine machine with I/O seems to be a model of computation that is fine grained enough to recognize and differentiate the time complexity of different implementations of $f$, but it remains to be seen in how far this information is reflected in the 'geometry' of $\mathbf{Set}[\mathcal{P}_f]$.

J. Frey